There is a storm brewing at the University of Nebraska. After a member of the school's information technology department discovered the data breach on May 23, the university distributed a notice on May 25 that the Nebraska Student Information Service, NeSIS, which contains sensitive information about students, alumni, and applicants had been accessed by unauthorized users.
Individuals are concerned because the types of data exposed or stolen includes school records, addresses, bank account information, and Social Security numbers. The breached database contains records for more than 650,000 individuals. The breach affects students, alumni, and applicants of the university’s four campuses, the Nebraska College of Technical Agriculture, plus university employees and parents of students who applied for financial aid.
In a letter to breach victims, Joshua Mauk, the university's Information Security Officer stated:
"On May 23, 2012, University personnel detected a security breach in the system indicating that an unauthorized individual had gained high-level access to the restricted database. This was a sophisticated and skilled attack on our system. Information in the system includes Social Security numbers, any bank account information associated with the NeSIS account, and personal and academic data. Our records indicate that you have a bank account that is associated with your NeSIS account, so we are writing to notify you of this breach and to advise you to monitor your bank accounts over the next several weeks and report any suspicious activity to your financial institution."
The letter also advises individuals to monitor their financial accounts and to consider placing a fraud alert or security freeze on their credit reports at the major credit reporting firms: Equifax, Experian, and TransUnion. The final number of records exposed/stolen has not been determined yet.
A breach investigation is underway by Nebraska University with local and federal law enforcement. The university has set up the http://nebraska.edu/security website to distribute updates about the breach and breach investigation.
Data security has been an issue in higher education since at least 2005: George Mason University (32,000 records). Recent, notable data breaches:
- May 3, 2012: University of Pittsburgh: undisclosed
- April 30, 2012: Volunteer State Community College (Tennessee): 14,000 records
- April 18, 2012: Emory Healthcare, Emory University Hospital: 315,000 records
- April 14, 2012: Texas A&M University: 4,000 records
- April 10, 2012: Case Western Reserve University: 600 records
- March 31, 2012; San Francisco State University: undisclosed
- March 16, 2012: University of Tampa: 30,000 records
- March 14, 2012: Humboldt State University: 5,700 records
- March 13, 2012: Brigham Young University: 1,300 records
- February 16, 2012: Central Connecticut State University: 18,763 records
- February 15, 2012: University of North Carolina at Charlotte: 350,000 records
- January 27, 2012: Indiana University (President's Challenge): 650,000 records
- January 20, 2012: Arizona State University: 300,000 records
Breach history source: Privacy Rights Clearinghouse